Windows Analysis Report
Fwd UPS Needs Info for Customs Clearance - 1Z8809676740430639.msg

Overview

General Information

Sample name: Fwd UPS Needs Info for Customs Clearance - 1Z8809676740430639.msg
Analysis ID: 1524433
MD5: c72f54d8d9136005ae5b18a955ed1c44
SHA1: eb9ce2a4870573facdc886ed69ba4f7764652f80
SHA256: 43259db3feeb8aba5774ab20c2bd61f29ddb30d76a40b4c5ee966d8b73ec62d5

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores large binary data to the registry

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 6220 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Fwd UPS Needs Info for Customs Clearance - 1Z8809676740430639.msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7052 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "02BC0F51-100C-414A-86A8-520306ED225E" "CCF64258-7661-4EF1-9DDE-0E2313AFEAB8" "6220" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6220, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched

There are no malicious signatures.

Source: ~WRS{9DCC211D-EAC1-4E74-A6A2-9A6277738163}.tmp.0.dr; String found in binary or memory: https://ucix-global.ups.com/customer/auth?uid=23734b88-3a5c-4457-e063-eeb1869c23d9&tId=80674570-24db
Source: Fwd UPS Needs Info for Customs Clearance - 1Z8809676740430639.msg, ~WRS{9DCC211D-EAC1-4E74-A6A2-9A6277738163}.tmp.0.dr; String found in binary or memory: https://whatisworkspaceone.com/boxer
Source: ~WRS{9DCC211D-EAC1-4E74-A6A2-9A6277738163}.tmp.0.dr; String found in binary or memory: https://www.ups.com/assets/resources/images/UPS_logo.png
Source: classification engine; Classification label: clean1.winMSG@3/17@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241002T1320240371-6220.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Fwd UPS Needs Info for Customs Clearance - 1Z8809676740430639.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "02BC0F51-100C-414A-86A8-520306ED225E" "CCF64258-7661-4EF1-9DDE-0E2313AFEAB8" "6220" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Modify Registry | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
[Behavior graph, ID: 1524433. Sample: Fwd UPS Needs Info for Cust... Startdate: 02/10/2024, Architecture: WINDOWS, Score: 1. OUTLOOK.EXE started ai.exe.]

No Antivirus matches
No contacted domains info
              • URL Reputation: safe
              unknown
              https://ucix-global.ups.com/customer/auth?uid=23734b88-3a5c-4457-e063-eeb1869c23d9&tId=80674570-24db~WRS{9DCC211D-EAC1-4E74-A6A2-9A6277738163}.tmp.0.drfalse
                unknown
                https://analysis.windows.net/powerbi/api9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                • URL Reputation: safe
                unknown
                https://prod-global-autodetect.acompli.net/autodetect9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                • URL Reputation: safe
                unknown
                https://substrate.office.com9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                • URL Reputation: safe
                unknown
                https://outlook.office365.com/autodiscover/autodiscover.json9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                • URL Reputation: safe
                unknown
                https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                • URL Reputation: safe
                unknown
                https://consent.config.office.com/consentcheckin/v1.0/consents9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                • URL Reputation: safe
                unknown
                https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                • URL Reputation: safe
                unknown
                https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                • URL Reputation: safe
                unknown
                https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                • URL Reputation: safe
                unknown
                https://d.docs.live.net9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                  unknown
                  https://safelinks.protection.outlook.com/api/GetPolicy9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://ncus.contentsync.9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    unknown
                    https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    http://weather.service.msn.com/data.aspx9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://apis.live.net/v5.0/9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://officepyservice.office.net/service.functionality9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://templatesmetadata.office.net/9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://messaging.lifecycle.office.com/9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://mss.office.com9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://pushchannel.1drv.ms9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://management.azure.com9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://outlook.office365.com9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://wus2.contentsync.9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://incidents.diagnostics.office.com9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://clients.config.office.net/user/v1.0/ios9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://make.powerautomate.com9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://api.addins.omex.office.net/api/addins/search9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://insertmedia.bing.office.net/odc/insertmedia9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://outlook.office365.com/api/v1.0/me/Activities9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://api.office.net9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://incidents.diagnosticssdf.office.com9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://asgsmsproxyapi.azurewebsites.net/9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://clients.config.office.net/user/v1.0/android/policies9297CC53-F8BD-4F4A-9418-01A4E8653192.0.drfalse
                    • URL Reputation: safe
                    unknown
                    No contacted IP infos
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1524433
                    Start date and time:2024-10-02 19:19:10 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 4m 39s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:10
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:Fwd UPS Needs Info for Customs Clearance - 1Z8809676740430639.msg
                    Detection:CLEAN
                    Classification:clean1.winMSG@3/17@0/0
                    EGA Information:Failed
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .msg
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 2.19.126.151, 2.19.126.160, 52.168.117.171
                    • Excluded domains from analysis (whitelisted): ecs.office.com, omex.cdn.office.net, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, login.live.com, s-0005.s-msedge.net, config.officeapps.live.com, onedscolprdeus16.eastus.cloudapp.azure.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com, a1864.dscd.akamai.net
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • VT rate limit hit for: Fwd UPS Needs Info for Customs Clearance - 1Z8809676740430639.msg
                    No simulations
                    No context
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):231348
                    Entropy (8bit):4.388281505685991
                    Encrypted:false
                    SSDEEP:1536:uRYLu7gshlpBhK4vYgsQdNcAz79ysQqt2f3UbqoQJercm0FvVqAwyJhdAlD9piKK:xKgOongXmiGu2kqoQsrt0Fvd5Yq93+Qp
                    MD5:EEC819A03597EE9C3AA0EF24D5C47879
                    SHA1:F5E0DD59B2563E7A0426CC4A0D3E9163BB4A7066
                    SHA-256:CF2E510F481BDD72D6730EBA2CBF182D74EDB8B91636FBB9BA6ABDFC20BDB344
                    SHA-512:0A894FAA4E8DF1F9A92EFE91B18545CB2E547BE4C99A6B2369710BB8C92EF9C43C41788C1710C28032C088FDBC5BD8133338AAD8F0F27D018B3BCE72CC8BE9E5
                    Malicious:false
                    Reputation:low
                    Preview:TH02...... ...[P........SM01X...,....OP............IPM.Activity...........h...............h............H..h.Y......v.u...h........pk..H..h\tin ...pDat...hh...0...H.Y....h>o|............h........_`3k...hBp|.@...I.Rw...h....H...8.8k...0....T...............d.........2h...............k..............!h.............. h.a......`.Y...#h....8.........$hpk......8....."h.$......P&....'h..............1h>o|.<.........0h....4....8k../h....h.....8kH..hX...p....Y...-h .........Y...+h.o|......Y................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:ASCII text, with very long lines (65536), with no line terminators
                    Category:dropped
                    Size (bytes):322260
                    Entropy (8bit):4.000299760592446
                    Encrypted:false
                    SSDEEP:6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
                    MD5:CC90D669144261B198DEAD45AA266572
                    SHA1:EF164048A8BC8BD3A015CF63E78BDAC720071305
                    SHA-256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
                    SHA-512:16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):10
                    Entropy (8bit):2.5219280948873624
                    Encrypted:false
                    SSDEEP:3:LCfcbc:ucbc
                    MD5:528CEC9BDB9907838279B0EACA5CDA93
                    SHA1:03389A55620878C13A3959F97EA3D103621CBBD4
                    SHA-256:EB36F269F9101F6F7C35F4B0BDCC46A259557629E76681793FB26B93AC757121
                    SHA-512:CBF609ADEB86E707BE77A0149F780CF90F1CA46D24ACDAFD3FB80AA7C4CD43CFFB3CDC6DFB97670D04EA3BFC9FFFAF4A4B9A0AFFC01D8992DADB83EFC85CAF55
                    Malicious:false
                    Reputation:low
                    Preview:1727889629
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):177088
                    Entropy (8bit):5.2867330494151314
                    Encrypted:false
                    SSDEEP:1536:Oi2XfRAqcbH41gwEwLe7HW8bM/o/NM5cAZl1p5ihs7EXXCEAD2OdaLI:7Ce7HW8bM/o/9XPkiI
                    MD5:BA62CF5541D5B6ED4C73E0FA11A16361
                    SHA1:39E3C9E07D9BD615C8E5BE298DBBBD1D55C27712
                    SHA-256:53718B81F060AB6D8838D1B65307B86BD07E6043C5480E43658489EF97CD38B1
                    SHA-512:F3C29BDF7A20D414AC23CB45ECBEED7CCED66AD47D877ADACBE5FBB1BAB1614467F0E144F4F9A10171449C184308785D83EF2B1CEAEF536B7A00108B9F815BA7
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-02T17:20:28">.. Build: 16.0.18112.40129-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
                    Category:dropped
                    Size (bytes):4096
                    Entropy (8bit):0.09304735440217722
                    Encrypted:false
                    SSDEEP:3:lSWFN3l/klslpEl9Xll:l9F8E+9
                    MD5:D0DE7DB24F7B0C0FE636B34E253F1562
                    SHA1:6EF2957FDEDDC3EB84974F136C22E39553287B80
                    SHA-256:B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
                    SHA-512:42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
                    Malicious:false
                    Reputation:high, very likely benign file
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:SQLite Rollback Journal
                    Category:dropped
                    Size (bytes):4616
                    Entropy (8bit):0.13784977103055013
                    Encrypted:false
                    SSDEEP:3:7FEG2l+y+cll4/FllkpMRgSWbNFl/sl+ltlslN04l9Xll4:7+/lNjIg9bNFlEs1E39g
                    MD5:ADBB4942E5593B88BC6D05D8FF0B2701
                    SHA1:107F61B94B5FC78DBE37259DE8B23613392EE9DD
                    SHA-256:DEB8E3C539E9B04641A25DC3FBBBA025B5A343B50C3C8BF0DE53D9159F3A262C
                    SHA-512:2989F073B1F2698EE014C5CB006322ADD2EA3758E89DC0978D368A10ECD2D2D932A56AD231460B0FA3B4A8BF79C54FD911EDC38573B1D632065613F9FF03E86C
                    Malicious:false
                    Reputation:low
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):32768
                    Entropy (8bit):0.04437444944341713
                    Encrypted:false
                    SSDEEP:3:G4l2/98YY0HNl2/98YYsltlWlL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l23Rl234L9XXPH4l942U
                    MD5:9501434DC79A8632003CC1CBC0289D49
                    SHA1:6C97DA0D815D300953CA3F92EB378830DCFBB327
                    SHA-256:F6C97FD5DBD11E397B284C5EC8E0B1DE3E68100597824FF362E7A17014F5CCFC
                    SHA-512:AE5422772060A2953871DB0B2B5D83EE2B9A2F2DECE68142E26087FC8BB5B51C4FF27272113737F6D81E15B1760E6B4CF45C28D4CF469A10241FE3AEDD30DEB9
                    Malicious:false
                    Reputation:low
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:SQLite Write-Ahead Log, version 3007000
                    Category:modified
                    Size (bytes):45352
                    Entropy (8bit):0.3935808546021306
                    Encrypted:false
                    SSDEEP:24:K84Xp8QMIzRDtPill7DBtDi4kZERD4Q8xqt8VtbDBtDi4kZERDulC:JWCQjBPill7DYMExxO8VFDYM8
                    MD5:A63C376DD493FF2A64749923C4698A14
                    SHA1:DB92996F15C25871FF3572C665A798FC9E78FD12
                    SHA-256:0BAFB8256F258F5EDC3C129479A4E2AA8ABA6DC380AE496DEB10C2B6EAFC99F1
                    SHA-512:19125F9D184781073148017E9F5B621F6493A08E2CF27C02F1ED88DEB711087ADD92B5C59BDEC72F62C5866899FDE1026357ED9D0F96C410D7DEDDC3F72A8F1A
                    Malicious:false
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):6160
                    Entropy (8bit):3.627314080840486
                    Encrypted:false
                    SSDEEP:96:bYubil1Kuczsry6H+gXD4z0X1+vbX1gj7MYZYmBVD4z0X1+v7X1:bYvOqNDcmMSDc
                    MD5:A83655C38888A268838A4C98FEB6514B
                    SHA1:1A1459313CF6B89FE4B01FF3EF51D730B333EB22
                    SHA-256:DF3969AE44B59E5068F4F5EBA9561D7C40BD1205A7574DE61834FD98308C27B1
                    SHA-512:A41A94537E43003236FDBCC60DCF51067DECC35A986E4A345677179E585B5D0F17963CE3B54423F3155649F314C383C58CBAAB7DAE0CDDFF6C1FD3B967DC86F1
                    Malicious:false
                    Preview:......-.-.-...S.e.n.t. .f.r.o.m. .H.Y.P.E.R.L.I.N.K. .".h.t.t.p.s.:././.w.h.a.t.i.s.w.o.r.k.s.p.a.c.e.o.n.e...c.o.m./.b.o.x.e.r."...........................................................................................................................................................................................................................................................................................................................................................................................................p.......V...Z...........................................`.............................................................................................................................................................................................................................................................................................................................................*...$..$.If........!v..h.#v....:V.......t.....6......5.......4........4........a......
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:ASCII text, with very long lines (28743), with CRLF line terminators
                    Category:dropped
                    Size (bytes):20971520
                    Entropy (8bit):0.1761565832114809
                    Encrypted:false
                    SSDEEP:1536:ZFHOFI/LUBTLXPl8MGXibMyJCvWprnUtjyfsZ87lR6JuQvDnoqB69qewDF:KgLuPPlumEhGsZ8eSqew
                    MD5:0CF6CF475D6D8A3470250DF8FE69F816
                    SHA1:00156B00154B4956E1E5569EBAB5699D14051264
                    SHA-256:B3455510678B4FF0FA6B14F99CC53A4BBA46E80D898D15E644EDEE6E1C27B0FB
                    SHA-512:CEE560835FC1F8A94EDCF49DFC3D4DA14F951EFCC959DB55F223EA3465F0F6916E306A82B5E80ACC0ED146F92E46D08A57FF889C0DB4D6CD55F99365D3D8978F
                    Malicious:false
                    Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/02/2024 17:20:24.965.OUTLOOK (0x184C).0x13F4.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":21,"Time":"2024-10-02T17:20:24.965Z","Contract":"Office.System.Activity","Activity.CV":"0XxPIRk+00qy+LhmVEeK0A.4.9","Activity.Duration":14,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/02/2024 17:20:24.981.OUTLOOK (0x184C).0x13F4.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":23,"Time":"2024-10-02T17:20:24.981Z","Contract":"Office.System.Activity","Activity.CV":"0XxPIRk+00qy+LhmVEeK0A.4.10","Activity.Duration":12877,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):20971520
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3::
                    MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                    SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                    SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                    SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                    Malicious:false
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):94208
                    Entropy (8bit):4.4579840291494826
                    Encrypted:false
                    SSDEEP:1536:Y4Li9ZDcHNsSZ5QhyKaTPHHzvDHD83DXZ22d:Y4LizDbXA2d
                    MD5:2D5A6FCDDD8E159DDD830C35620AEE05
                    SHA1:86766AA4961B7FAA383EF2BE0C7D350DD2A64842
                    SHA-256:57DCE4FE9E6090FC7EDE6F48E6C4A5E542B2C08243A6AF6011D5569147C515F8
                    SHA-512:2597EC0D074A092A9E656F916219AFECEDC03DF76E7C88B9F27B865826CFA989232CFFD1DFA3F0EFF43F27CF2379BFC6AD7636C93584F28B7E0FCDD1FD4FA01F
                    Malicious:false
                    Preview:............................................................................`.......L...%3.]....................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................4..[...........%3.]............v.2._.O.U.T.L.O.O.K.:.1.8.4.c.:.4.5.5.e.f.7.c.9.a.2.9.f.4.0.3.9.9.6.9.e.c.b.4.d.6.2.9.a.b.4.f.b...C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.0.2.T.1.3.2.0.2.4.0.3.7.1.-.6.2.2.0...e.t.l.......P.P.....L...%3.]............................................................................................................................................................................................................................................................................................................
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):163840
                    Entropy (8bit):0.38090196844219326
                    Encrypted:false
                    SSDEEP:192:Idv72NK+g/LjDFXj+B68nsCNW0yrEfxAmWlD4e5ca9NgiXHW3OuqAbAFAqwNh/:82NKl/lUFnhNQWxAbB4e5cpiXHvuqMu
                    MD5:11D41110C75A9AB8402F373EE751C8B0
                    SHA1:8D47358573F42AFFC38F26A0BD5670B343A857D9
                    SHA-256:6C901C3F5092BBAA1A8EACF90F6800A150A5126F6F6C5CAC8A5C491E2835413D
                    SHA-512:C98B7A360CD726786E4EC2076DF55710E16AFB96806E4D008EDF5F89336EF39CC5B4C32F6CE59960169F4AA7B6C1ED1CC544316D4825B5849822E1D72F5AFB6C
                    Malicious:false
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):30
                    Entropy (8bit):1.2389205950315936
                    Encrypted:false
                    SSDEEP:3:P/Z:
                    MD5:FC117A61E9609FADD88A42385C2DEFCE
                    SHA1:AB76A218E12B246D0A5E513FC8422165E53DBD2A
                    SHA-256:09F0AA6D6A2E46BBA6131B13CBE551A3F99CC00A8DB09E5A16C8FD5E37D22C0E
                    SHA-512:0197EA7DECA5C8FFF52D65A92A9681271A5A1AE4A8D48ABD467FFE41437E2B3B539B2856C60AB8B63853391A4986D55AC3C38E98B731E92949976ABDD053C591
                    Malicious:false
                    Preview:.....Z........................
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:Composite Document File V2 Document, Cannot read section info
                    Category:dropped
                    Size (bytes):16384
                    Entropy (8bit):0.6692060260279478
                    Encrypted:false
                    SSDEEP:12:rl3baFVZqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCeB1L:rMwmnq1Py961CL
                    MD5:DB867D3BE3463D6323786C54FD04E7CF
                    SHA1:F1C9624665FBE545747F5F0132D1EEC9A3F85DAB
                    SHA-256:2BC1E06CD52612570490777F43B4E9CFE52453064076F3FAA74F7290818BF13D
                    SHA-512:A75478B6F24F293820630A76B2DFF6F94093AD48F2DCAC437096DFA39BF436AED6E433494774F5B01BAE35FC2455869BE45534BD589E0249A1E6E87AAD239BF8
                    Malicious:false
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:Microsoft Outlook email folder (>=2003)
                    Category:dropped
                    Size (bytes):271360
                    Entropy (8bit):1.5249009430001406
                    Encrypted:false
                    SSDEEP:768:u8QcPeVab1Agvy2PLj6cCO98P8IfGAxmAw5xpJtNVTI:EwRvy2jj6cCO9IRw5xTtg
                    MD5:94BFE6196BB93430DF966E228FC11A3A
                    SHA1:01B0B8188BFE0E137C9819A2019A639906B03E24
                    SHA-256:4EDF8FAC825DF58E384BE30DF7803277144440029A467998822FB282A90604D4
                    SHA-512:F2EA7EAFE1F280C585F25014C671BC66989C49DA0478963F1667E5A5C8C160A4EC8FAF077AA094756E485D1EC872FB6ECCFA69B012BECC68560FC3787FC412EA
                    Malicious:false
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:OpenPGP Public Key
                    Category:dropped
                    Size (bytes):131072
                    Entropy (8bit):1.0116757038834272
                    Encrypted:false
                    SSDEEP:192:j8AxxaVj6Ftsl7IDW4c5JLSrzEiJdF1L/B/huLryP/U/OgHeww/QMbIxPjvfT:IAx0s+l7uWR5RiR9ufyHWO+9OQcIxPj
                    MD5:7BDD69DEE5C853F220257C9DF07DFC4B
                    SHA1:906E8B6221330E877B087E975F13A36833F1B6AF
                    SHA-256:386B8B9B9154809136C83A08D84D549221C0DDE4CCA35B79D6FE869A773DB824
                    SHA-512:23AAE792F495E08A2CDB15671AF401E419B28BB24AC0C13346933FB6A0A91BA2133858578052D8A6A04554DC1CB8B78DDC5570FE4A28CBE4D33BE510D700D163
                    Malicious:false
                    File type:CDFV2 Microsoft Outlook Message
                    Entropy (8bit):3.8340678727506248
                    TrID:
                    • Outlook Message (71009/1) 58.92%
                    • Outlook Form Template (41509/1) 34.44%
                    • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
                    File name:Fwd UPS Needs Info for Customs Clearance - 1Z8809676740430639.msg
                    File size:57'344 bytes
                    MD5:c72f54d8d9136005ae5b18a955ed1c44
                    SHA1:eb9ce2a4870573facdc886ed69ba4f7764652f80
                    SHA256:43259db3feeb8aba5774ab20c2bd61f29ddb30d76a40b4c5ee966d8b73ec62d5
                    SHA512:c881b4ac6cb3abfcc5cd2eee0a82ef6b3a31320c03f9441ab42d13fc3813e0c1cfde9cece83860cd2a0dab3c0e60afc389e6a3f31b98ffa9998016755ac569af
                    SSDEEP:768:VqjSuVNfWUF/UiaFzQQM1EQ0dH8tNYQRbD4uB0NkK4e5c:IjSutFA5QQMuQ0dS30
                    TLSH:B643BD2136F94619F27BAF7249F680979536BC92ED25CA8F3191330F0572981A871F3B
                    Subject:Fwd: UPS Needs Info for Customs Clearance - 1Z8809676740430639
                    From:"Watson, Warren" <wwatson@markham.ca>
                    To:Spam Report <SpamReport@markham.ca>
                    Cc:
                    BCC:
                    Date:Wed, 02 Oct 2024 15:35:15 +0200
                    Communications:
                    • --- Sent from Workspace ONE Boxer <https://whatisworkspaceone.com/boxer> ---------- Forwarded message ---------- From: UPS Customs Clearance Update <noreply@ups.com> Date: October 1, 2024 at 10:17:34PM EDT Subject: UPS Needs Info for Customs Clearance - 1Z8809676740430639 To: Watson, Warren <wwatson@markham.ca> CAUTION: This email originated from a source outside the City of Markham. DO NOT CLICK on any links or attachments, or reply unless you recognize the sender and know the content is safe. <https://www.ups.com/assets/resources/images/UPS_logo.png> We're missing some information for your shipment Act now to prevent further delay. 1Z8809676740430639 from COLE KEPRO INTERNATIONAL LLC Add Information > <https://ucix-global.ups.com/customer/auth?uid=23734b88-3a5c-4457-e063-eeb1869c23d9&tId=80674570-24db-4315-b0c5-672a0928e2b2&cId=1muYVhRIdOe3oGA1Ee2V9Q%3D%3D&mId=O0AW2y%2F0ECbROylmVJuqaQ%3D%3D&lang=en&scId=1muYVhRIdOe3oGA1Ee2V9Q%3D%3D> Customs may hold your package if it doesn't have enough information. Il nous manque certaines informations pour votre envoi Agissez maintenant pour éviter de nouveaux retards. 1Z8809676740430639 depuis COLE KEPRO INTERNATIONAL LLC Ajouter des informations > <https://ucix-global.ups.com/customer/auth?uid=23734b88-3a5c-4457-e063-eeb1869c23d9&tId=80674570-24db-4315-b0c5-672a0928e2b2&cId=1muYVhRIdOe3oGA1Ee2V9Q%3D%3D&mId=O0AW2y%2F0ECbROylmVJuqaQ%3D%3D&lang=fr-ca&scId=1muYVhRIdOe3oGA1Ee2V9Q%3D%3D> Les douanes peuvent retenir votre colis s'il ne contient pas suffisamment d'informations. 2024 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are the trademarks of United Parcel Service of America, Inc. All rights reserved. Please do not reply to this email. 2024 United Parcel Service of America, Inc. UPS, la marque UPS et la couleur marron sont les marques déposées de United Parcel Service of America, Inc. Tous droits réservés. S'il vous plait ne répondez pas à cet email.
                    Attachments:
                      Key Value
                      Received: from YT1PR01MB8697.CANPRD01.PROD.OUTLOOK.COM
                      15.1.2507.35 via Mailbox Transport; Wed, 2 Oct 2024 09:35:20 -0400
                      15.1.2507.35; Wed, 2 Oct 2024 09:35:17 -0400
                      15.1.2507.35 via Frontend Transport; Wed, 2 Oct 2024 09:35:17 -0400
                      ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
                      ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
                      h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
                      ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
                      DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=markham.ca;
                      by QB1PPF5B2AECBFF.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c08::244) with
                      2024 13:35:16 +0000
                      ([fe80::bbe2:914f:8c82:f548%4]) with mapi id 15.20.8026.016; Wed, 2 Oct 2024
                      13:35:15 +0000
                      Content-Type: multipart/mixed;
                      From: "Watson, Warren" <wwatson@markham.ca>
                      To: Spam Report <SpamReport@markham.ca>
                      Subject: Fwd: UPS Needs Info for Customs Clearance - 1Z8809676740430639
                      Thread-Topic: UPS Needs Info for Customs Clearance - 1Z8809676740430639
                      Thread-Index: AQHbFHE+dQdq1UayLUSUaFlY3G/3mbJzdvGL
                      Date: Wed, 2 Oct 2024 13:35:15 +0000
                      Message-ID: <B7BB5044-180F-4D35-A058-4D17733A3043@markham.ca>
                      References: <527788841.940079.1727835449376.JavaMail.beawl@mahsmtpappspp.ups.com>
                      In-Reply-To: <527788841.940079.1727835449376.JavaMail.beawl@mahsmtpappspp.ups.com>
                      Accept-Language: en-US
                      Content-Language: en-US
                      X-MS-Has-Attach:
                      X-MS-TNEF-Correlator: <B7BB5044-180F-4D35-A058-4D17733A3043@markham.ca>
                      authentication-results: dkim=none (message not signed)
                      x-ms-publictraffictype: Email
                      x-ms-traffictypediagnostic: YT1PR01MB8697:EE_|QB1PPF5B2AECBFF:EE_
                      x-ms-office365-filtering-correlation-id: 663e6e04-5ffd-453a-76bd-08dce2e70c6a
                      x-ld-processed: 0f65dc8a-9589-4971-8749-84de0478ddac,ExtAddr
                      x-microsoft-antispam: BCL:0;ARA:13230040|69100299015|366016|41050700001;
                      x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:YT1PR01MB8697.CANPRD01.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(69100299015)(366016)(41050700001);DIR:INT;
                      MIME-Version: 1.0
                      X-MS-Exchange-CrossTenant-AuthAs: Internal
                      X-MS-Exchange-CrossTenant-AuthSource: YT1PR01MB8697.CANPRD01.PROD.OUTLOOK.COM
                      X-MS-Exchange-CrossTenant-Network-Message-Id: 663e6e04-5ffd-453a-76bd-08dce2e70c6a
                      X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Oct 2024 13:35:15.3289
                      X-MS-Exchange-CrossTenant-fromentityheader: Hosted
                      X-MS-Exchange-CrossTenant-id: 0f65dc8a-9589-4971-8749-84de0478ddac
                      X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
                      X-MS-Exchange-CrossTenant-userprincipalname: w7NPIAvp4XhW1smkBjq0LQx+4Vjmy0ZuiAfQKL0mEPatX5XzzOUPUk3dIHBsPbVK
                      X-MS-Exchange-Transport-CrossTenantHeadersStamped: QB1PPF5B2AECBFF
                      X-OrganizationHeadersPreserved: QB1PPF5B2AECBFF.CANPRD01.PROD.OUTLOOK.COM
                      Return-Path: wwatson@markham.ca
                      X-MS-Exchange-Organization-Network-Message-Id: 9259c070-b76b-4a92-7b66-08dce2e70de4
                      X-MS-Exchange-Organization-AuthAs: Internal
                      X-MS-Exchange-Organization-AuthMechanism: 04
                      X-MS-Exchange-Organization-AuthSource: YT1PR01MB8697.CANPRD01.PROD.OUTLOOK.COM
                      X-MS-Exchange-Organization-SCL: 1
                      X-CrossPremisesHeadersPromoted: WDNVMHIN128.markham.ca
                      X-CrossPremisesHeadersFiltered: WDNVMHIN128.markham.ca
                      X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
                      X-OriginatorOrg: markham.ca
                      X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.9230447
                      X-MS-Exchange-Processed-By-BccFoldering: 15.01.2507.035
                      date: Wed, 02 Oct 2024 15:35:15 +0200

                      Icon Hash:c4e1928eacb280a2
                      No network behavior found

                      Target ID:0
                      Start time:13:20:21
                      Start date:02/10/2024
                      Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Fwd UPS Needs Info for Customs Clearance - 1Z8809676740430639.msg"
                      Imagebase:0x320000
                      File size:34'446'744 bytes
                      MD5 hash:91A5292942864110ED734005B7E005C0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:3
                      Start time:13:20:26
                      Start date:02/10/2024
                      Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "02BC0F51-100C-414A-86A8-520306ED225E" "CCF64258-7661-4EF1-9DDE-0E2313AFEAB8" "6220" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
                      Imagebase:0x7ff6c8e70000
                      File size:710'048 bytes
                      MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      No disassembly